TF-CSIRT/FIRST TC Team update

UNINETT CERT

January 29th 2008

Per Arne Enstad

2

UNINETT? What? where?

� UNINETT develops and operates

the Norwegian national research

network, which links together

domestic educational and research

institutions and connects them into

international networks

3

UNINETT

� Serving 75+ customers

� Approx. 300 POPs

� Approx. 400K end users

4

5

Our main product:

6

UNINETT CERT

� Established 1995

� Constituency:

� All customers within our address space

� Virtual team organized within the NOC

� Core team: 4 persons working part time

� Member of FIRST since 2000

� TI Accredited Team since 2001

7

UNINETT CERT

� Work profile:

� Incident prevention

� Security audits

� IRT-courses

� Best practices

� Incident handling

� Mostly coordination, but still a few”hands on” cases

� Workload: approx 5000 incidents/year

8

UiO CERT

� University of Oslo is by far ourlargest customer

� Established 2002 but wentdormant for various reasons

� Revitalized in 2006 and at thispoint:

� TI Accredited Team Jan ’08

� Core Team: 8 persons + access to other resources when required

9

Current development efforts

� Further RTIR-work

� Extentions and integration

� Passive DNS monitoring

� Flow vizualisation

� Ongoing masters thesis

� Anomaly detection

� Testing techniques of varying complexity

� Child Sexual Abuse Anti-Distribution

Filter

10

Current development efforts (2)�

� Scripting and extending nfdump/nfsen

� e.g. internal per-organization aggregation

� IPv6 flow collection

11

TF-CSIRT

� UiO CERT and UNINETT CERT

will host the May ’08 meeting in

Oslo

� Stay tuned on the TERENA

website for details

� Welcome!

12

Questions?